CVE-2019-7194
Vexday Risk Score
100 · Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8 · EPSS 83.0% · KEV yes · Public PoC · Nuclei yes · Metasploit yes · Patch —
Lifecycle
25 Nov 2019: Metasploit module available
05 Dec 2019: Published on NVD
08 Jun 2022: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A flaw in Photo Station lets attackers read or change important system files on a QNAP device by controlling file paths. This is critical because it can compromise the entire system's security and data.
Technical detail
Path traversal vulnerability (CWE-22) in QNAP Photo Station allows remote, unauthenticated attackers to access or modify arbitrary system files via unvalidated file path parameters. No special preconditions are required; exploitation results in complete system compromise with high impact on confidentiality, integrity, and availability.
Summary generated and translated by AI from the official description.
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · QNAP NAS devices running Photo Station
Public PoCs found: 1
cve_reference · packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.